30 April 2019

At the Certified Senders Alliance summit in Cologne, Germany, CAUCE president John Levine talks about international email and its security.

John explained that EAI (Email Address Internationalization) is being used by literate computer users who cannot read English characters. He gave India as an example: in the state of Rajasthan, the Indian government is currently handing out email addresses in Hindi.

In the past, email addresses were all ASCII, but now they can be in UTF-8 encoded Unicode. A complication with Unicode is that there can be several ways to create a Unicode character (e.g. an accented a can either be encoded as a character in its own right, or as an a followed by an accent). For human readers, this makes no difference to understanding the character, but for computers it can be difficult.

Some mail systems accept EAI mail, but many still don't. As a result, EAI senders need to be prepared for their email to fail if they are sending to ASCII recipients.

Avoid mixed scripts. In theory, an address could combine Chinese, Arabic, Cyrillic, etc. characters, but combining them is bad practice. It is unreadable and impossible to type. While compatible scripts are ok (e.g. the three scripts used to write Japanese), mixed scripts should be treated very skeptically by spam filters.

Variant characters (e.g. different versions of Chinese characters).

Challenges

Long domain names: there are top-level domain names as long as 24 characters.

Several ways to write the same character (is it a single accented character, or a + an accent?). If it is possible to combine the elements into a single pre-defined character, it is better to do so.

Punctuation is possible in local parts: it is allowable, but not advisable.

It is technically legal to use an emoji in an email address. This should be avoided. An email address must be easy to read and to type. Two different emojis with slightly different skin tones are not easy to differentiate or type.
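An added example (not from the talk or from CAUCE) of the two checks discussed above: composing characters to NFC before comparing addresses, and flagging mixed scripts while allowing the Japanese combination. Script detection by Unicode character name is a heuristic assumed here, because Python's standard library has no Script property; the sample addresses are constructed.

```python
import unicodedata

# Scripts the talk calls compatible: the three used to write Japanese.
JAPANESE = {"CJK", "HIRAGANA", "KATAKANA"}

def nfc(address: str) -> str:
    """Compose base letter + combining accent into the single pre-defined character."""
    return unicodedata.normalize("NFC", address)

def scripts_of(text: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name.

    Heuristic (assumption of this example). Digits, punctuation and
    combining marks are skipped because they are script-neutral.
    """
    found = set()
    for ch in text:
        if unicodedata.category(ch).startswith("L"):
            name = unicodedata.name(ch, "UNKNOWN")
            found.add(name.replace("-", " ").split()[0])
    return found

def is_mixed_script(text: str) -> bool:
    scripts = scripts_of(text)
    return len(scripts) > 1 and not scripts <= JAPANESE

def review_address(address: str) -> dict:
    """Normalize, then check the local part and each domain label separately."""
    normalized = nfc(address)
    local, _, domain = normalized.rpartition("@")
    parts = [local, *domain.split(".")]
    return {
        "normalized": normalized,
        "local_scripts": sorted(scripts_of(local)),
        "mixed": any(is_mixed_script(p) for p in parts),
    }

# Constructed sample addresses.
DECOMPOSED = "a\u0301lvaro@example.com"   # 'a' followed by a combining acute accent
COMPOSED = "\u00e1lvaro@example.com"      # the same letter as one code point
MIXED = "\u0430dmin@example.com"          # Cyrillic 'a' followed by Latin letters
JAPANESE_OK = "\u65e5\u672c\u306e\u30e1\u30fc\u30eb@example.jp"  # kanji + hiragana + katakana
HINDI = "\u0905\u091c\u092f@example.in"   # Devanagari only

if __name__ == "__main__":
    for sample in (DECOMPOSED, COMPOSED, MIXED, JAPANESE_OK, HINDI):
        print(review_address(sample))
```

A mail system that compares or stores addresses without the NFC step would treat the first two samples as different mailboxes.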

Conclusion

EAI is on the way. It is going to be popular, particularly in countries like Thailand and India, where there is a literate population that does not read or write English. And finally, it is not difficult, but it is important to get ready.

04 February 2019

Spam infrastructures have evolved to become formidable means of delivery of a diverse and growing set of cyber attacks, from financial fraud and business compromise to political influence and malware campaigns. Central to these attacks is an ever increasing dependency on and exploitation of domain names and the domain name system (DNS).

We welcome Dave Piscitello, formerly VP of Security at the Internet Corporation for Assigned Names and Numbers (ICANN), to the CAUCE Board. Since 2005, Dave has been practicing at the nexus of domain abuse and mitigation. He has been instrumental in bringing operational security, law enforcement, and Internet Identifier communities together to confront abuses of the Internet name space. Dave has sought to raise cross-community awareness of abuses and misuses of domain names and the DNS by studying and calling attention to policy vacuums and weaknesses, by promoting abuse reporting systems that can help governance bodies and lawmakers make informed decisions, and by delivering DNS investigations training programs for law enforcement.

09 December 2017

With the rapid evolution of spam and threats to consumers, CAUCE has recruited two industry veterans to round out our board and continue being the consumer voice to Law Enforcement and Regulatory communities around the world.

We would like to welcome Allison Nixon, Director of Security Research at Flashpoint, and Tom Grasso, Supervisory Special Agent at the FBI, to the CAUCE board.

Allison is a threat researcher, verifier of leaks, and hunter of humans. She has been a background source for numerous investigations and articles that focus on the post-breach issue of "who dunnit?". She performs original threat research and is at the forefront of answering questions that people have not yet thought to ask. In 2013, she spoke at Blackhat about bypassing DDOS protection. In 2014, she released a paper detailing methods for vetting leaked data. She has been looking into the issue of "booters" and DDOS services. She researches DDOS attribution, cybercrime attribution, and criminal communities. In her spare time she grows tomatoes and makes puns.

Tom has been an FBI Agent since 1998 and has worked for the FBI’s Regional Computer Crime Squad in Chicago and the High Technology Crimes Task Force in Pittsburgh. He has also served as the FBI Liaison to the CERT/CC at Carnegie Mellon University. Mr. Grasso is now part of the FBI’s Cyber Division and is assigned to the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, a joint partnership between law enforcement, academia, and industry. Mr. Grasso is also an Adjunct Professor of Criminology at La Roche College in Pittsburgh.

It goes without saying that we are all very excited with these additions.

24 October 2017

Verbal comments by Neil Schwartzman, Executive Director and Matthew Vernhout, Director-at-large of the Coalition Against Unsolicited Commercial Email to the Standing Committee on Industry, Science and Technology, Ottawa, October 24, 2017

Neil Schwartzman

With apologies to The Bard of Avon,

Friends, Parliamentarians, countrymen, lend me your ears;

I come to praise CASL, not to kill it.

The evil that critics of CASL do lives with them;

The good is imbued in its sections;

So let it be with CASL.

CASL’s noble adversaries may tell you the law is too ambitious, as if it was a grievous fault.

CASL enshrines the work of 2005's federal task force on spam, best practices found in our final report are now global industry standards. Best practices do nothing without holding bad players accountable.

CASL is a crowd-sourced law, taking input from hundreds, working tens of thousands of hours. The Messaging Anti-Abuse Working Group, MAAWG, is a one hundred eighty five member industry association of companies such as Apple, Facebook, Google, Amazon, and Bell Canada. MAAWG participated in the CASL process and sent a letter to the Prime Minister urging passage of the law.

My name is Neil Schwartzman, I am the executive director of CAUCE, the coalition against unsolicited commercial email. I wrote the world’s first distributed spam filter, and 20 years later, here we are.

I am a management consultant; my clients include the world’s largest company and the world’s biggest sender of email, and I teach cyber investigation methods to international law enforcement.

Spam filtering costs recipients 20 billion dollars a year according to researchers at Microsoft and Google, and the fact is spam has become much worse of late, ransomware and phishing payloads are vicious.

Affiliate spam, 90% of the pourriel hitting our networks, is an open sewer spraying 1 BILLION messages per hour at our families, friends and colleagues.

Unsolicited junk email, texts and phone calls from Wal-Mart, DirecTV, and Fidelity are some of the affiliate spam sent by third parties earning commissions from the brand. CASL was purpose-built to remedy such activity.

Studies and data have proven CASL is a protective shield to the spam coming into, and out of Canada.

Law enforcement can’t possibly investigate - nor do they know about - all spam attacks. CASL’s Private Right of Action, a right integral to America’s CANSPAM Act, has been suspended, lamentably preventing Canadian ISPs, businesses and organizations from seeking compensation for damages to their networks and users.

Declarations of CASL’s damaging effects are laughable. The OECD has projected Canada’s 2018 economic growth outlook to be the best of the G-7; Quebec enjoys their lowest unemployment rate in three decades.

Yes, legitimate companies bear costs to become compliant, just as when PIPEDA came into force.

Business must be vigilant - data breaches occur daily, business email compromise results in losses in the hundreds of millions. CASL defines the modern standards of data integrity and permission companies must maintain in the global economy. The EU’s updated GDPR privacy law comes into effect in 2018. Failing to maintain parity will put us at a severe economic disadvantage.

In two cases prosecuted by the CRTC, the marketing departments of Rogers and Kellogg's were found to have bought spam email lists from third party firms.

Why are spammers afraid of CASL and trying to gut it of effectiveness? Because it is working. We will hear from my colleague Matt who is a 20-year marketing professional, who has data proving marketing has grown in volume and effectiveness under CASL. We keep hearing about chilling effects, yet, our economy is growing, marketing is more effective. Chilling? I’m feeling rather warm.

CASL is so frightening to spammers, that they lobby Canada’s law enforcement and legislators. American groups with direct business interests to shady, black-hat spamming groups will make presentations to this very body.

With this in mind, I exhort you to leave CASL intact. Adjust, yes, clarify, no doubt, but do not come here to kill CASL. Do Caesar proud.

Thank you.

Matthew Vernhout

Good afternoon. To our distinguished Members of Parliament, thank you for inviting us to speak with you today.

My name is Matthew Vernhout, I am here on behalf of the CAUCE. In my professional capacity I am the Director of Privacy and Industry Relations for email analytics firm 250ok, the Chair of the Email Experience Council’s Advocacy committee, and an active member of the global email marketing community. I participated in the drafting of America’s CAN-SPAM act and had the pleasure of speaking to this Committee in support of CASL in 2009.

I have published dozens of articles, been quoted in the press, spoken at numerous industry events, and consulted with some of North America’s top brands regarding CASL compliance.

In fact, one of the comparative benchmark reports I authored for ISED was recently cited in the CRTC decision on the constitutional challenge by CompuFinder.

The positive effects of CASL on the email industry are remarkable.

I am delighted to say analysis finds the email industry thriving and experiencing significant growth. Businesses ensure they have recipient consent and they are seeing the positive benefits of those efforts.

A common trend has emerged from several reports published in the past three years: more messages are delivered to Canadian consumers’ inboxes post-CASL, due to better list management practices and increased consumer trust.

A recent industry report shows that two countries with the toughest anti-spam legislation, Canada and Australia, also have the best deliverability of commercial emails to inboxes in the G-8 countries studied.

The basic framework of CASL is a series of email marketing best practices that have been the basis of most of my consulting efforts over the past seventeen years:

• Ask permission first

• Honour opt-outs

• Be clear of who you are and why you are writing to your customer.

CASL has taken these ideas and made them the law of the land.

As my colleague stated, CASL is working to diminish spam, moreover, it is working to make legitimate email marketing more successful, and more effective.

There is far too much baseless fear, uncertainty and doubt being spread by the naysayers of CASL, who are neither anti-abuse nor marketing professionals.

When I speak with marketers about their compliance efforts and the changes that they make to their digital marketing I often hear, “This is a lot of work, but isn’t nearly as difficult as I thought it would be.”

However, we still have a long road ahead of us. The Spam Reporting Centre receives 6,000 complaints per week, totalling more than one million complaints since 2014.

For example, the blacklist operator SURBL notes that there are currently 70 DOT C A domains spamming counterfeit goods scams to Canadians.

There are also active spam gangs set up on hosting providers in Montréal, Hamilton, and Vancouver.

Regarding the PRA suspension, this renders CASL toothless. I recommend the PRA be revisited to allow network operators who carry the cost of spam to avail themselves of redress.

In closing, it is our hope that the law remains a strong and viable tool to protect email marketing, networks, and consumers from unwanted spam messaging.

Canadians, like all consumers, deserve nothing less.

Update

TO: INDU@parl.gc.ca

October 28, 2017

To whom it may concern,

We are forwarding an electronic message from Deborah Evans of Rogers Media Inc.

The undertaking that RMI signed with the CRTC on November 26, 2015 reads, in part:

AND WHEREAS the CCEO has advised RMI that Commission Staff is of the view that express consent is required to send commercial electronic messages on behalf of unknown third parties. More specifically, Commission staff is of the view that implied consent cannot be relied upon to send commercial electronic messages on behalf of unknown third parties, without obtaining prior specific express consent in accordance with the Act, Regulations and Regulations (CRTC);

Should anyone see daylight between our stated position and that of RMI, we would wish to correct the record. Ms. Evans’ email reads as follows: